What are the responsibilities and job description for the Security Risk Officer position at Merchants Bank?
Merchants Bank has an opening for a Security Risk Officer. This position could work from any of our Merchants Bank branch locations in Minnesota or Wisconsin.
This role is responsibility for implementing, maintaining, and running the information and physical security program. This includes identifying, evaluating, mitigating, and reporting on legal and regulatory, IT Security (including cybersecurity), and physical security risk, while supporting and advancing business objectives in alignment with growth and financial performance expectations. Will proactively work with business units and managers to implement practices that meet agreed-on policies and standards for security. This position serves as collaborative liaison with Chief Risk Officer & IT on matters related to the budget for the information and physical security function.
Requires 5 years of experience in information security management including specific experience in the following areas: audit and exam response, incident response, reporting and information security program development. Also must have 5 years of general IT experience or 3 years of general IT experience and at least a 2-year degree in information security and 2 years of supervisory experience. A certification from an accredited association within the Information Security realm preferred. Must have excellent written and verbal communication abilities, be highly organized, a self-starter and willing to investigate.
Merchants Bank offers competitive wages and benefits for our full-time employees including health, dental, life, disability and vision insurance; flexible spending accounts, 401(k) and ESOP retirement plans; bonus plan; paid time off; tuition reimbursement; and a variety of voluntary supplemental insurance options.
Please click on Apply Now or apply in person at any Merchants Bank location. Questions can be emailed to hr@merchantsbank.com. Merchants Bank is an Equal Opportunity Employer of women, minorities, protected veterans and individuals with disabilities.
General Summary:
This is a working manager role with responsibility for implementing and running the information and physical security program for the Bank. The Security Risk Officer is responsible for identifying, evaluating, mitigating, and reporting on legal and regulatory, IT Security (including cybersecurity), and physical security risk, while supporting and advancing business objectives for the Company in alignment with growth and financial performance expectations.
Must possess a sound knowledge of business management and a working knowledge of cybersecurity and physical security technologies and systems covering the Company network and branch footprint as well as the broader digital ecosystem. This position is responsible for establishing and maintaining the information and physical security program to ensure that information assets and associated technology, applications, systems, infrastructure, processes, and physical locations are adequately protected in the environment in which we operate. This role will be the board approved Information Security Officer for the Company.
A key element of the role is working with the Chief Risk Officer and the Executive Leadership Team to determine acceptable levels of risk for the organization. Will proactively work with business units and managers to implement practices that meet agreed-on policies and standards for security. The Security Risk Officer should understand and articulate the impact of all security systems on the business and be able to communicate this to the board of directors and other senior stakeholders.
The Security Risk Officer must be knowledgeable about both internal and external business environments and ensure that systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory, and contractual obligations. Serves as the process owner of the appropriate second-line assurance activities not only related to confidentiality, integrity, and availability, but also to the safety, privacy and recovery of information owned or processed by the business in compliance with regulatory requirements. This position understands that securing physical and information assets, associated technology, applications, systems and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter.
Ultimately, is a business leader expected to maintain objectivity and a strong understanding that security and risk management are foundational but must be managed with balanced perspective about the ability of the business to deliver on its growth and performance goals and objectives.
Primary Responsibilities and Duties:Security Governance and Awareness:
Works effectively with Chief Risk Officer and all business units to facilitate security risk assessment(s) and risk management processes; sets expectations with business unit leaders, to own and accept the level of risk that have been deemed appropriate by the Enterprise Risk Management Committee for their specific risk appetite. Oversee management of information security related vendors per the organization’s vendor management program.
This role is responsibility for implementing, maintaining, and running the information and physical security program. This includes identifying, evaluating, mitigating, and reporting on legal and regulatory, IT Security (including cybersecurity), and physical security risk, while supporting and advancing business objectives in alignment with growth and financial performance expectations. Will proactively work with business units and managers to implement practices that meet agreed-on policies and standards for security. This position serves as collaborative liaison with Chief Risk Officer & IT on matters related to the budget for the information and physical security function.
Requires 5 years of experience in information security management including specific experience in the following areas: audit and exam response, incident response, reporting and information security program development. Also must have 5 years of general IT experience or 3 years of general IT experience and at least a 2-year degree in information security and 2 years of supervisory experience. A certification from an accredited association within the Information Security realm preferred. Must have excellent written and verbal communication abilities, be highly organized, a self-starter and willing to investigate.
Merchants Bank offers competitive wages and benefits for our full-time employees including health, dental, life, disability and vision insurance; flexible spending accounts, 401(k) and ESOP retirement plans; bonus plan; paid time off; tuition reimbursement; and a variety of voluntary supplemental insurance options.
Please click on Apply Now or apply in person at any Merchants Bank location. Questions can be emailed to hr@merchantsbank.com. Merchants Bank is an Equal Opportunity Employer of women, minorities, protected veterans and individuals with disabilities.
General Summary:
This is a working manager role with responsibility for implementing and running the information and physical security program for the Bank. The Security Risk Officer is responsible for identifying, evaluating, mitigating, and reporting on legal and regulatory, IT Security (including cybersecurity), and physical security risk, while supporting and advancing business objectives for the Company in alignment with growth and financial performance expectations.
Must possess a sound knowledge of business management and a working knowledge of cybersecurity and physical security technologies and systems covering the Company network and branch footprint as well as the broader digital ecosystem. This position is responsible for establishing and maintaining the information and physical security program to ensure that information assets and associated technology, applications, systems, infrastructure, processes, and physical locations are adequately protected in the environment in which we operate. This role will be the board approved Information Security Officer for the Company.
A key element of the role is working with the Chief Risk Officer and the Executive Leadership Team to determine acceptable levels of risk for the organization. Will proactively work with business units and managers to implement practices that meet agreed-on policies and standards for security. The Security Risk Officer should understand and articulate the impact of all security systems on the business and be able to communicate this to the board of directors and other senior stakeholders.
The Security Risk Officer must be knowledgeable about both internal and external business environments and ensure that systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory, and contractual obligations. Serves as the process owner of the appropriate second-line assurance activities not only related to confidentiality, integrity, and availability, but also to the safety, privacy and recovery of information owned or processed by the business in compliance with regulatory requirements. This position understands that securing physical and information assets, associated technology, applications, systems and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter.
Ultimately, is a business leader expected to maintain objectivity and a strong understanding that security and risk management are foundational but must be managed with balanced perspective about the ability of the business to deliver on its growth and performance goals and objectives.
Primary Responsibilities and Duties:Security Governance and Awareness:
- Provide regular reporting on the current status of all security programs to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
- Develops, socializes and coordinates approval and implementation of security-related policies
- Direct the creation of information and physical security awareness training program for all employees, and approved system users, and establish and monitor metrics to measure the effectiveness of this security training program for the different audiences.
- Ensure the consistent application of security policies and standards across all technology projects, systems, and services, including privacy, risk management, compliance, and business continuity management.
- Provide clear security risk mitigating directives for projects in conjunction with Enterprise Risk Management framework, including the mandatory application of security controls.
- Maintain and operate the organization’s Information Security Program and procedures
- Review the Vulnerability Management Program and recommend improvements as well as ensuring segregation of duty and adequate and timely closure of audit findings.
- Maintain and operate the organization’s Identity and Access Management (IAM) Program and procedures.
- Maintain and operate the organization’s Vendor Management Program and procedures.
- Maintain and operate the organization’s Business Impact Analysis and Business Continuity Program (BCP) and procedures.
- Maintain and operate the organization’s Disaster Recovery Program and procedures to align with the BCP program.
- Maintain and oversee the physical security program of the organization including training.
- Ensure the organization’s technical asset management and system configuration standards are in alignment with information security protocols.
- Work with business line leaders and business-related projects to ensure systems and the related processes and procedures meet the organization’s security policies.
- Responsible for researching and maintaining appropriate risk management practices regarding information and physical security and assist management in the organization’s overall risk management process to follow regulatory requirements.
- Participate on behalf of the organization in general information security related and industry specific security information sharing programs.
- Serve as collaborative liaison with Chief Risk Officer & IT on matters related to the budget for the information and physical security function.
- Manages the cost-efficient information security organization, consisting of direct reports such as individuals in business continuity and IT operations) as defined within the Company’s organizational design structure for Risk Management. This includes hiring training, staff development, performance management and timely annual performance reviews for any assigned direct reports.
- Provide oversight of staff assisting with providing vendor, access management, and physical security
Works effectively with Chief Risk Officer and all business units to facilitate security risk assessment(s) and risk management processes; sets expectations with business unit leaders, to own and accept the level of risk that have been deemed appropriate by the Enterprise Risk Management Committee for their specific risk appetite. Oversee management of information security related vendors per the organization’s vendor management program.
- The employee will be expected to take responsibility to ensure that internal and external customers receive outstanding service.
- The employee may be asked to perform other duties as required by business needs.
- The employee will be expected to complete compliance and product knowledge assignments in a timely manner.
- 5 years of experience in information security management including specific experience in the following areas: audit and exam response, incident response, reporting and information security program development.
- Additionally, 5 years of general IT experience or 3 years of general IT experience and at least a 2-year degree in information security and 2 years of supervisory experience.
- Preferred certification from an accredited association within the Information Security realm
- Excellent written and verbal communication abilities.
- Ability to create and use new and existing Spreadsheets, Word documents, PowerPoint, Visio, and other tools to provide reporting information to organization leadership.
- Highly organized self-starter, curious, and willing to investigate and learn.
- Little or no discomfort caused by environmental factors.
- Some exposure to mental/visual fatigue resulting from research of complex systems issues.
- Some travel required.
- Hours may be unpredictable due to security response and research that must be performed outside of normal banking hours.
- Responsible to reporting to the Chief Risk Officer (CRO) for fulfillment of functions, responsibilities, and authority, and for their proper interpretation.
- Will have contact with the Executive Team, Board of Directors, regulators, auditors, department managers and staff, bank-wide managers, end-users, and third-party vendors.